From: Daniel Borkmann <daniel@iogearbox.net>
To: Edwin Peer <epeer@juniper.net>
Cc: Y Song <ys114321@gmail.com>,
"netdev@vger.kernel.org" <netdev@vger.kernel.org>,
"ast@kernel.org" <ast@kernel.org>, bpf <bpf@vger.kernel.org>
Subject: Re: [RFC PATCH bpf-next 0/2] unprivileged BPF_PROG_TEST_RUN
Date: Thu, 19 Dec 2019 16:47:04 +0100 [thread overview]
Message-ID: <20191219154704.GC4198@linux-9.fritz.box> (raw)
In-Reply-To: <69266F42-6D0B-4F0B-805C-414880AC253D@juniper.net>
On Thu, Dec 19, 2019 at 02:50:42PM +0000, Edwin Peer wrote:
> On 12/18/19, 23:19, "Y Song" <ys114321@gmail.com> wrote:
>
> > Added cc to bpf@vger.kernel.org.
>
> Thank you, I will remember to do this next time.
>
> > Have you tried your patch with some bpf programs? verifier and jit put some
> > restrictions on unpriv programs. To truely test the program, most if not all these
> > restrictions should be lifted, so the same tested program should be able to
> > run on production server and vice verse.
>
> Agreed, I am aware of some of these differences in the load/verifier behavior with and without
> CAP_SYS_ADMIN. In particular, without CAP_SYS_ADMIN programs are still restricted to 4k, some helpers are not available (spin locks, trace printk) and there are some differences in context access checks.
>
> I think these can be addressed incrementally, assuming folk are on board with this approach in general?
What about CAP_BPF? IIRC, there are also other issues e.g. you could abuse
the test interface as a packet generator (bpf_clone_redirect) which is not
something fully unpriv should be doing.
Thanks,
Daniel
next prev parent reply other threads:[~2019-12-19 15:47 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20191219013534.125342-1-epeer@juniper.net>
2019-12-19 7:19 ` [RFC PATCH bpf-next 0/2] unprivileged BPF_PROG_TEST_RUN Y Song
2019-12-19 14:50 ` Edwin Peer
2019-12-19 15:47 ` Daniel Borkmann [this message]
2019-12-19 17:05 ` Edwin Peer
2019-12-19 19:26 ` Alexei Starovoitov
2019-12-19 20:06 ` Edwin Peer
2019-12-19 21:52 ` Alexei Starovoitov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191219154704.GC4198@linux-9.fritz.box \
--to=daniel@iogearbox.net \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=epeer@juniper.net \
--cc=netdev@vger.kernel.org \
--cc=ys114321@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).